Advanced Endpoint Protection Administrator's Guide

Advanced Endpoint Protection Overview

Cyber-attacks are attacks performed on networks or endpoints to inflict damage, steal information, or achieve other goals that involve taking control over computer systems that belong to others. Adversaries perpetrate cyber-attacks either by causing a user to unintentionally run a malicious executable, or by exploiting a weakness in a legitimate executable to run malicious code behind the scenes without the knowledge of the user.

One way to prevent these attacks is to identify executables, dynamic-link libraries (DLLs), or other pieces of code as malicious, and then prevent them from running by testing each potentially dangerous code module against a list of specific, known threat signatures. The weakness of this method is that signature-based solutions take time to identify newly created threats known only to the attacker (also known as zero-day attacks or exploits) and add them to lists of known threats, leaving the endpoint vulnerable until the signatures are updated.

The Advanced Endpoint Protection solution, which consists of a central Endpoint Security Manager and endpoint protection software called Traps, takes a more effective approach to preventing attacks. Rather than trying to keep up with the ever-growing list of known threats, Traps sets up a series of roadblocks that prevent the attacks at their initial entry points, when legitimate executables are about to unknowingly allow malicious access to the system. Traps targets software vulnerabilities in processes that open non-executable files using exploit prevention techniques. Traps also uses malware prevention techniques to prevent malicious executable files from running. Using this two-fold approach, the Advanced Endpoint Protection solution can prevent all types of attacks, whether they are known or unknown threats.

All aspects of endpoint security settings (the endpoints and groups to which they are applied, the applications they protect, and the defined rules, restrictions, and actions) are highly configurable. This allows each organization to tailor Traps to its needs so that it provides maximum protection with minimal disruption of day-to-day activities.

Exploit Prevention

An exploit is a sequence of commands that takes advantage of a bug or vulnerability in a software application or process. Attackers use exploits as a means to access and use a system to their advantage. To gain control of a system, the attacker must bypass a chain of vulnerabilities in the system. Blocking any attempt to exploit a vulnerability in the chain will block the exploitation attempt entirely.

In a typical attack scenario, an attacker attempts to gain control of a system by first attempting to corrupt or bypass memory allocation or handlers. Using memory-corruption techniques such as buffer overflows and heap corruption, the attacker can then trigger a bug in software or exploit a vulnerability in a process. The attacker must then manipulate a program to run code provided or specified by the attacker and evade detection. If the attacker gains access to the operating system, the attacker could then upload Trojan horses, malware programs that contain malicious executables, or otherwise use the system to their advantage. Traps prevents such exploit attempts by employing roadblocks or traps at each stage of the exploitation attempt.

When a user opens a non-executable file, such as a PDF or Word document, the Traps agent seamlessly injects drivers into the software that opens the file. The drivers are injected at the earliest possible stage, before any files belonging to the process are loaded into memory. If the process that opens the file is protected, Traps injects a code module called an Exploitation Prevention Module (EPM) into the process. Each EPM targets a specific exploitation technique and is designed to prevent attacks on program vulnerabilities based on memory corruption or logic flaws. Examples of attacks that the EPMs can prevent include:

- Memory corruption
- Java code from running in browsers, under certain conditions
- Executables from spawning child processes, under certain conditions
- Dynamic-link library (DLL) hijacking (replacing a legitimate DLL with a malicious one of the same name)
- Hijacking program control flow
- Inserting malicious code as an exception handler

In addition to automatically protecting processes from such attacks, Traps reports any prevention events to the Endpoint Security Manager and performs additional actions according to the settings of the policy rules. Common actions that Traps performs include collecting forensic data and notifying the user about the event. Traps does not perform any additional scanning or monitoring actions.

The default endpoint security policy protects the most vulnerable and most commonly used applications, but you can also add other third-party and proprietary applications to the list of protected processes. For more information, see Add a Protected, Provisional, or Unprotected Process.

Malware Prevention

Malicious executable files, known as malware, are often disguised as or embedded in non-malicious files. These files, sometimes referred to as Trojan horses, can harm computers by attempting to gain control, gather sensitive information, or disrupt the normal operations of the system. To protect endpoints from malicious executable files, Traps employs the Malware Prevention Engine as another type of security roadblock. The Malware Prevention Engine uses a combination of policy-based restrictions and malware prevention modules to limit the surface area of an attack and control the source of file installation, such as from external media. The Malware Prevention Engine also uses technique-based mitigations that limit or block child processes, Java processes initiated in web browsers, creation of remote threads and processes, and execution of unsigned processes.

When a user or machine attempts to open an executable, Traps first verifies that the executable does not match any restriction policy rules. If a restriction policy rule, such as a folder restriction, applies to the executable, Traps blocks the attempted launch and reports the security event to the Endpoint Security Manager. If no restriction policy rules apply and WildFire is enabled, Traps creates a file hash and checks it against a local cache of hash values. If the file hash is unknown in the local cache, Traps forwards the hash value to the Endpoint Security Manager, which checks its local database. If the file hash is unknown in the local database, the Endpoint Security Manager forwards the hash value to WildFire, which responds with the result of the hash lookup: malicious, benign, or unknown.

If any of the file hash checks reveals that an executable is malicious, no further checking is done: Traps reports the security event to the Endpoint Security Manager and handles the executable as determined by the security policy. Common actions that Traps performs include preventing the file from executing, collecting forensic data, and notifying the user about the event. Traps does not perform any additional scanning or monitoring actions. If any of the file hash checks reveals that an executable is benign, no further checking is done: Traps allows the executable file to continue.
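The restriction-check-then-tiered-hash-lookup sequence described above, written out as a small Python simulation. This is an added illustration, not Traps code and not the product's API; the folder restriction path, the choice of SHA-256, the three verdict dictionaries standing in for the agent cache, ESM database and WildFire, the write-back of verdicts into lower tiers, and the behaviour when WildFire is disabled or returns "unknown" are all assumptions.

```python
import hashlib

# Constructed sample policy and lookup tiers for this example (not from the guide).
RESTRICTED_FOLDERS = ("C:\\Users\\Public\\Downloads\\",)  # hypothetical folder restriction rule

# Ordered as the guide describes: agent-local cache -> ESM database -> WildFire cloud.
local_cache: dict[str, str] = {}
esm_database: dict[str, str] = {}
wildfire_cloud: dict[str, str] = {}  # stands in for the WildFire hash lookup (constructed)


def file_hash(data: bytes) -> str:
    """Hash the executable's bytes. SHA-256 is an assumption; the guide only says 'file hash'."""
    return hashlib.sha256(data).hexdigest()


def matches_restriction(path: str) -> bool:
    """Restriction rules are checked first, before any hashing takes place."""
    return any(path.lower().startswith(folder.lower()) for folder in RESTRICTED_FOLDERS)


def lookup_verdict(digest: str) -> tuple[str, str]:
    """Return (verdict, tier) from the first tier that knows the hash, 'unknown' if none does.
    Verdicts learned from a higher tier are written back into the lower tiers so the next
    launch is answered locally; that write-back is an assumption, not something the guide states."""
    if digest in local_cache:
        return local_cache[digest], "local cache"
    if digest in esm_database:
        local_cache[digest] = esm_database[digest]
        return esm_database[digest], "ESM database"
    verdict = wildfire_cloud.get(digest, "unknown")
    if verdict != "unknown":
        esm_database[digest] = verdict
        local_cache[digest] = verdict
    return verdict, "WildFire"


def evaluate_launch(path: str, data: bytes, wildfire_enabled: bool = True) -> dict:
    """Decide what happens when the executable at `path` (with contents `data`) is launched."""
    if matches_restriction(path):
        # Restriction hit: block and report; no hash lookup is performed.
        return {"action": "block", "reason": "restriction rule", "reported": True}
    if not wildfire_enabled:
        # The guide only describes hash checks when WildFire is enabled; skipping them is assumed.
        return {"action": "allow", "reason": "hash checks skipped", "reported": False}
    verdict, tier = lookup_verdict(file_hash(data))
    if verdict == "malicious":
        return {"action": "block", "reason": f"malicious ({tier})", "reported": True}
    if verdict == "benign":
        return {"action": "allow", "reason": f"benign ({tier})", "reported": False}
    # The guide does not say what happens on "unknown"; hand it to the security policy.
    return {"action": "policy", "reason": "unknown verdict", "reported": False}


if __name__ == "__main__":
    # Constructed seed: WildFire already knows one sample as malicious.
    wildfire_cloud[file_hash(b"constructed malicious sample")] = "malicious"
    for path, data in [("C:\\Users\\Public\\Downloads\\setup.exe", b"anything"),
                       ("C:\\Tools\\sample.exe", b"constructed malicious sample"),
                       ("C:\\Tools\\sample.exe", b"constructed malicious sample"),
                       ("C:\\Tools\\newtool.exe", b"never seen before")]:
        print(path, evaluate_launch(path, data))
```

Running it shows the second launch of the same sample answered from the local cache rather than WildFire, which is the effect of the tiered lookup the guide describes.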

Advanced Endpoint Protection Components

Endpoint Security Manager Console

The Endpoint Security Manager (ESM) Console is a web interface that provides an administrative dashboard for managing security events, endpoint health, and policy rules. You can install the web interface on the same server as the ESM Server, on a separate server, or on a cloud-based server. The ESM Console communicates with the database independently from the ESM Server.

Endpoint Security Manager Server

On a regular basis, the Endpoint Security Manager (ESM) Server retrieves the security policy from the database and distributes it to all Traps agents. Each Traps agent relays information related to security events back to the ESM Server. The Traps agent sends the following types of messages to the ESM Server:

Traps status: The Traps agent periodically sends messages to the ESM Server to indicate that it is operational, and to request the latest security policy. The Notifications and Health pages in the Endpoint Security Manager display the status for each endpoint. By default, the duration between messages, known as the heartbeat period, is 5 minutes; the heartbeat period is configurable.

Notifications: The Traps agent sends notification messages about changes in the agent, such as the start or stop of a service, to the ESM Server. The server logs these notifications in the database. You can view the notifications in the Endpoint Security Manager. By default, Traps sends notifications every two hours.

Update messages: An end user can request an immediate policy update by clicking the Update now button in the Traps console. This causes the Traps agent to request the latest security policy from the ESM Server without waiting for the end of the heartbeat period.

Prevention reports: If a prevention event occurs on an endpoint where the Traps agent is installed, the Traps agent reports all of the information pertaining to the event to the ESM Server in real time.

Database

The database stores administrative information, security policy rules, endpoint history, and other information about security events. The database is managed over the MS-SQL platform. Each database requires a license and can communicate with one or more ESM Servers. The database may be installed on the same server as the ESM Console and ESM Server, such as in a standalone environment, or the database can be installed on a dedicated server. During the proof-of-concept stage, the SQLite database is also supported.

Endpoints

An endpoint is a Windows-based computer, server, virtual machine, or mobile device running the client-side protection application called Traps.

Traps

Traps consists of a console that provides a user-interface application, an agent that protects the endpoint and communicates with the ESM Server, and a service that collects forensic data.

The Traps agent protects the endpoint by implementing the security policy defined for the organization in the Endpoint Security Manager. When a user creates or opens a protected process on the endpoint, the Traps agent injects its drivers into the process at the earliest possible stage, before the process files are loaded into memory. The agent also protects the Traps software from being disabled or uninstalled.

If the Traps agent encounters a prevention event, the Traps service collects forensic information and transmits data related to the event back to the Endpoint Security Manager. The Traps service is also responsible for communicating status information about the endpoint on a regular basis.

The Traps console displays information about protected processes, event history, and the current security policy. Usually, users will not need to run the Traps console, but the information can be useful when investigating a security-related event. You can choose to hide the console tray icon that launches the console, or prevent users from launching it altogether. For more information, see Hide or Restrict Access to the Traps Console.

External Logging Platform

The Endpoint Security Manager can write logs to an external logging platform, such as security information and event management (SIEM), Service Organization Controls (SOCs), or syslog, in addition to storing its logs internally. Specifying an external logging platform allows an aggregated view of logs from all ESM Servers.

WildFire

The Traps agent is designed to block attacks before any malicious code can run on the endpoint. While this approach ensures the safety of data and infrastructure, it enables the collection of forensic evidence only at the moment of prevention. Thus, it cannot fully reveal the purpose of the attack or its entire flow. The WildFire service is an optional, post-prevention analysis system that performs forensic analysis of malicious files.

Enabling WildFire Integration allows the Endpoint Security Manager to create a file hash from the executable file and check it against the WildFire Cloud. If WildFire confirms that a file is known malware, the Traps agent blocks the file for future exposures and notifies the Endpoint Security Manager. As WildFire detects new malware, it generates new signatures within the hour. Palo Alto Networks next-generation firewalls equipped with a WildFire subscription can receive the new signatures within 15 minutes; firewalls with only a Threat Prevention subscription can receive the new signatures in the next Antivirus signature update within hours.

If WildFire Integration is enabled in the Endpoint Security Manager, the Status page of the Traps console displays an icon next to Anti-Malware Protection indicating that it is enabled. If WildFire is not enabled, the Traps console displays an icon next to Anti-Malware Protection indicating that it is not enabled. For more information, see Enable WildFire.

Forensic Folder

When Traps encounters a security-related event, such as a file execution, interference with the Traps service, or an exploit attack, it logs real-time forensic details about the event on the endpoint. The forensic data includes the event history, memory dump, and other information associated with the event. You can retrieve the forensic data by creating an action rule to collect the data from the endpoint. After the endpoint receives the security policy that includes the action rule, the Traps agent sends all the forensic information to the forensic folder, which is sometimes referred to as the quarantine folder.

During the initial installation, you specify the path of the forensic folder that the Endpoint Security Manager uses to store forensic information that it retrieves from the endpoints. The path can be local to the server or on the network and must allow all endpoints to write to the folder. You can change the path to the folder at any time using the Endpoint Security Manager.
